Because of its prevalence in today's society and its popularity as a means of connecting financial resources and data sources, the internet, together with the networks connected to it, has become a hub for criminal activity. To detect, monitor, and learn about criminal behavior, security personnel often deploy one or more honeypot devices within a network. A honeypot device is a security mechanism that appears to an outside observer (e.g., a threat actor) to be an attractive target, but that in fact monitors the threat actor's behavior and may assist in defending the network against that threat actor.
Oftentimes, however, honeypots are easily identified by threat actors. For example, when a threat actor surveys a network, they may first attempt to establish a connection with one or more devices on the network using a connection tool. The threat actor then expects the connection tool to report one of two outcomes of the connection attempt: either (1) that the port they tried to connect to on the device is closed (based on a lack of response from the device); or (2) that the port they tried to connect to is open, and that the next stage of the protocol applicable to that port should be conducted. If the threat actor receives neither, they may quickly conclude that they are dealing with a honeypot.
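The two expected outcomes described above, as an added illustration that is not part of this application: a decoy TCP listener that answers a new connection the way a real service would (it sends its protocol greeting at once), a second decoy that accepts the connection but stays silent (the behaviour that gives a honeypot away), and the probe a defender can run against their own decoy to confirm it lands in one of the two expected categories rather than the tell-tale third one. The greeting string, the use of localhost with ephemeral ports, and all function names are constructed for this example.

```python
import socket
import threading

# Constructed example greeting; a real decoy would mirror the exact banner of the
# service it imitates (assumption for this example: an SSH server).
GREETING = b"SSH-2.0-OpenSSH_9.6\r\n"


def start_decoy(respond, host="127.0.0.1"):
    """Start a decoy TCP listener on an ephemeral port; return (server_socket, port).

    respond=True  -> on accept, immediately send GREETING, as a real server does.
    respond=False -> accept the connection but never answer: the client sees
                     neither "closed" nor the next protocol stage.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:          # server socket closed; stop serving
                return
            # A real honeypot would record `peer` and everything the client sends.
            with conn:
                if respond:
                    conn.sendall(GREETING)
                try:
                    conn.recv(1024)  # hold the connection until the client closes it
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def probe(host, port, timeout=0.5):
    """Classify what a connecting client observes on host:port.

    'closed'        : connection refused (nothing is listening on the port)
    'open-protocol' : connection accepted and the service spoke first
    'open-silent'   : connection accepted but nothing arrived before the timeout
    'unreachable'   : no answer to the connection attempt at all
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        return "closed"
    except OSError:                  # includes socket.timeout
        return "unreachable"
    try:
        data = s.recv(256)
    except socket.timeout:
        return "open-silent"
    finally:
        s.close()
    return "open-protocol" if data else "open-silent"


def decoy_is_consistent(host, port):
    """Defender's self-check: a decoy advertising an open port must answer like a
    real service. Any other observation is the giveaway described in the text."""
    return probe(host, port) == "open-protocol"


def unused_port(host="127.0.0.1"):
    """Bind and release an ephemeral port so the 'closed' case can be shown."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    good_srv, good_port = start_decoy(respond=True)
    bad_srv, bad_port = start_decoy(respond=False)
    print("closed port      :", probe("127.0.0.1", unused_port()))
    print("responsive decoy :", probe("127.0.0.1", good_port),
          decoy_is_consistent("127.0.0.1", good_port))
    print("silent decoy     :", probe("127.0.0.1", bad_port),
          decoy_is_consistent("127.0.0.1", bad_port))
    good_srv.close()
    bad_srv.close()
```

Run the self-check against every port a decoy exposes; a result of `open-silent` (or a greeting that does not match the imitated service's real one) is exactly the inconsistency the paragraph describes, and the fix is to make the decoy complete the first protocol step the way the genuine service would.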
Once the threat actor identifies a device as a honeypot, they may take steps to avoid it in future network activity. For example, the internet protocol (IP) addresses of such devices may be blacklisted and avoided in all subsequent interactions with the network.
A need exists, therefore, for methods and systems that overcome the above disadvantages of existing honeypot devices.